Transcript Slide 1

Designing Internal Control
Systems for Small- and
Medium-Sized Entities
Presented by Larry L. Perry, CPA
CPA Firm Support Services, LLC
7/20/2015
www.cpafirmsupport.com
1
Learning Objectives
 Review the fundamental concepts and the
components of internal control
 Understand how to design and operate
effective accounting and internal control
systems for smaller entities
 Consider flowcharts for documenting financial
reporting and internal control systems
7/20/2015
www.cpafirmsupport.com
2
The Foundation of Internal
Control--COSO




Internal control is a process. It is a means to an
end, not an end in itself.
Internal control is not merely documented by policy
manuals and forms. Rather, it is put in by people at
every level of an organization.
Internal control can provide only reasonable
assurance, not absolute assurance, to an entity’s
management and board.
Internal control is geared to the achievement of
objectives in one or more separate but overlapping
categories.
7/20/2015
www.cpafirmsupport.com
3
In the Beginning--COSO
 Committee of Sponsoring Organizations of the
Treadway Commission—1985

Formed to study and report on factors that lead
to fraudulent financial reporting
 Published Internal Control—Integrated
Framework—1992
 Published Internal Control over Financial
Reporting—Guidance for Smaller Public
Companies—2006
 Published updated Internal Control—Integrated
Framework--2013
7/20/2015
www.cpafirmsupport.com
4
The COSO Framework—Still
Standing
 Components





Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
 Principles added in 2013
7/20/2015
www.cpafirmsupport.com
5
The Tone at the Top and the Bottom
 Control environment
 Sets the tone of the organization
 The foundation of all other components
 Includes the integrity, ethical values and
competence of personnel
 Management is the primary influence:
 Operating philosophies and style
 Ways of assigning responsibility and authority
 Ways of developing and organizing employees
 Board of directors governance activities
 Employees do as management
does, not as they say!!!
7/20/2015
www.cpafirmsupport.com
6
The Entity’s Risk Assessment
Process
 Risk comes from internal and external sources



Risk is based on operational and financial
objectives
The identification and analysis of risks that affect
the accomplishment of objectives should result
corrective action
Risk assessment becomes the basis for deciding
how the various risks should be controlled
7/20/2015
www.cpafirmsupport.com
7
Polling Question No. 1
 If an entity has an effective control
environment, none of the other components
of internal control are necessary.


7/20/2015
A. True
B. False
www.cpafirmsupport.com
8
Control Activities May Be Formal or
Informal
 Control Activities




Ensure application of management’s policies
and procedures
Ensure risks are detected on a timely basis and
managed
Provide asset security and internal checks for an
accounting system
Occur in all accounting functions, at the entity
level (key controls) and at the activity level
7/20/2015
www.cpafirmsupport.com
9
Key Controls
 Key controls are considered primary to
accomplishing an internal control objective
 Management may focus on key controls to
evaluate design and operating effectiveness
 Owners and managers provide key controls
for small entities
7/20/2015
www.cpafirmsupport.com
10
How Key Controls Work
 Considering the nature, size and complexity of an entity
and its key controls




Control environment—the tone at the top
Entity’s risk assessment process
 Management considers financial reporting objectives,
financial reporting risks, fraud risks, etc. and designs
and/or operates preventive controls and anti-fraud
programs
Entity’s internal control communication process
 Internal and external communications by management
provide information that prevents misstatements
occurring and going undetected
Entity’s internal control monitoring process

7/20/2015
Management’s involvement in operations day-to-day,
through budget utilization, by using analytical procedures
or by simple “walk-around” controls provides assurance
controls are working
www.cpafirmsupport.com
11
Activity-Level Controls
 The financial reporting system
 Internal check functions performed by
management and others
 General and applications controls over
information processing
 Controls for safeguarding assets
 Performance measurements
 Separation of duties
7/20/2015
www.cpafirmsupport.com
12
Information Systems—the Keys for
Success
 Information and communication
 The identification, capture and communication of
timely information
 Operational and financial reports necessary for
production and management (internal and
external)
 Communication of the importance of internal
control responsibilities
 Lines of communication for feedback to
management
7/20/2015
www.cpafirmsupport.com
13
The Internal Check-Up
 Monitoring

On-going procedures during operations



Employees
Management
Separate evaluations


7/20/2015
Related to assessment of specific risks
Internal audit of compliance in larger entities
www.cpafirmsupport.com
14
Polling Question No. 2
 A good system of internal control for a small
entity contains which of these features?





7/20/2015
A. An owner or manager with high integrity
B. Auditors that perform monthly risk assessment
procedures
C. Accounting software with developmental
modules
D. An internal audit department
E. None of the above
www.cpafirmsupport.com
15
Using a Small Audits Internal Control
Questionnaire
 Key controls drive management’s risk
assessment process
 The SAICQ should focus on assessing risks for
assertions at the financial statement
classification level
 Only relevant assertions should be considered
 The absence of key controls or key controls
operating improperly can be potential risks of
misstatement
7/20/2015
www.cpafirmsupport.com
16
Flowchart Preparation
 To facilitate the risk assessment process, flowcharts should be




designed to capture the risks resulting from the information
flows of each transaction cycle
A flowcharting guide or other reference materials should be
used to make sure all data, documents and accounting system
procedures are included and sufficient “what could go wrong”
questions are asked
Flowcharting techniques should include standard organization
that demonstrates the transactions’ flow from beginning to end
A SAICQ or other reference material should be used to identify
key and activity-level controls on the flowchart
Flowcharts may be prepared using the draw symbols in Word or
Excel, with flowcharting software programs or the old-fashioned
way with template, pencil and paper
7/20/2015
www.cpafirmsupport.com
17
Polling Question No. 3
 Reasons for using flowcharts to document
accounting and internal control systems include
which of the following?




A. A logical transaction flow facilitates analysis
B. It makes the CFO look really good
C. It is an easy way for the CFO to hide things
D. None of the above
7/20/2015
www.cpafirmsupport.com
18
Designing Cost-Effective Internal Control
Systems for Smaller Entities--COSO
Oversight by owner or
6. Achieving further
manager
efficiencies
2. Effective board of
a. Use a risk-based
directors
approach
3. Overcoming lack of
b. Create relevant
segregation of duties
documentation of IC
4. Limiting risks associated
policies and
with the IT system
procedures
5. Monitoring control
c. Document evidence of
activities
performing IC
a. Establish foundations
procedures
b. Focus monitoring
procedures on key
controls
c. Assessing and
reporting results www.cpafirmsupport.com
19
7/20/2015
1.
Conclusion
 Internal control and fraud prevention are the responsibilities





of management.
Internal control systems are always relevant to the nature,
size and complexity of an entity.
Key controls designed and operated by owners or managers
of small entities are the primary methods of preventing and
detecting errors and fraud.
Internal control procedures should provide reasonable
assurance that errors or fraud will not occur and go
undetected.
The benefits of internal control procedures should outweigh
their costs.
The design process includes understanding accounting
systems and existing internal controls, identifying what could
go wrong and designing cost-beneficial control activities and
anti-fraud programs that are likely to prevent and detect errors
and fraud.
7/20/2015
www.cpafirmsupport.com
20
Polling Question No. 4
 The best way to design an internal control
system for small entities is to use all the
procedures on an ICQ for a large entity


A. True
B. False
7/20/2015
www.cpafirmsupport.com
21
The End
 What to do if you want more
 Email Larry Perry: [email protected] with
questions
 Visit www.cpafirmsupport.com for webcast resources
 Register for free email newsletter on CPA Firm Support
website
 Read Larry Perry’s blog and articles, Today’s World of
Audits, at www.accountingweb.com under the Bloggers
Crew tab and A&A articles for small audit and other
subjects
 Watch for Larry Perry’s Performing Small Audits, Reviews
and Compilations for Entities using Special Purposte
Frameworks (including the AICPA’s FRF for SMEs) from
Wiley & Sons in 2015
7/20/2015
www.cpafirmsupport.com
22